Digital Transformation is Driving IT Transformation for Organizations

(Diagram: enterprise on-premise infrastructure, private clouds, public clouds such as Google Cloud Platform, the Internet, and remote end users.)
... But creates new Challenges for Security

- Don't know how many assets you have
- Don't know when those assets are running
- Credential issues / authentication failures
- Monthly / weekly scanning too slow [WannaCry]
- Can't scan remote users
Qualys Sensors
Scalable, self-updating & centrally managed

Physical
- Legacy data centers
- Corporate infrastructure
- Continuous security and compliance scanning

Virtual
- Private cloud infrastructure
- Virtualized infrastructure
- Continuous security and compliance scanning

Cloud/Container
- Commercial IaaS & PaaS clouds
- Pre-certified in marketplace
- Fully automated with API orchestration
- Continuous security and compliance scanning

Cloud Agents
- Lightweight, multi-platform
- On premise, elastic cloud & endpoints
- Real-time data collection
- Continuous evaluation on platform for security and compliance

Passive
- Passively sniff on network
- Real-time device discovery & identification
- Identification of APT network traffic
- Extract malware files from network for analysis

API
- Integration with threat intel feeds
- CMDB integration
- Log connectors
Qualys Cloud Agent Platform

(Diagram: a lightweight software agent that collects metadata only, deployed on on-premise servers, public cloud instances and user endpoints running Windows, Linux, Mac, AIX and cloud-native workloads, delivering multiple security functions in one agent.)
Central Management / API

- Qualys suite of applications
- Efficient network usage: 50 - 350 KB / day (delta processing average)
- Lightweight metadata collection (tunable): ~1-2% CPU
- Windows, Linux, Mac, AIX: 3 MB application

© Qualys.


Qualys Cloud Agent

IT, Security, Compliance Apps
- Asset Inventory
- Vulnerability Management
- Policy Compliance
- Indication of Compromise Detection
- File Integrity Monitoring

Upcoming IT App (Beta November 2018)
- Patch Management

(Screenshot: the Cloud Agent list with columns Version, Status/Last Checked-in, Agent Modules, Tags and Configuration.)
Try and Manage Apps on One Cloud Agent

- End the fight with IT to deploy security agents!
- Remove point-solution agents from your endpoints
- Consolidate security tools

(Screenshot: the "Edit the activation key" dialog. An activation key is used to install agents. This provides a way to group agents and better manage your account. By default this key is unlimited - it allows you to add any number of agents at any time. The example key is titled Global_user_endpoints and provisions the key for these applications, with licenses remaining shown per application: Vulnerability Management 98919, File Integrity Monitoring 998, Policy Compliance 99134, Indication of Compromise 96. Limits can be set per key, or the key can be left as an unlimited key.)
Cloud Agent Extends Network Scanning

- No scan windows needed - always collecting
- Find vulnerabilities faster
- Detect a fixed vulnerability faster
- Many new apps only available on Agent

Best for assets that can't be scanned
- Unable to get credentials / authentication failures
- Remote systems in branch offices / NAT
- Roaming user endpoints
- Cloud / elastic deployments
Cloud Agent Adoption

(Chart: number of Cloud Agents sold, units in millions, LTM at Q4 2017, Q1 2018, Q2 2018 and Q3 2018.)
Cloud Agent VM Usage and Growth Drivers

(Chart: agent count growing from 100,000s to 1,000,000 to 10,000,000s, annotated with the drivers below.)

- Initial end-users, 2017 (50-300K)
- Deploy on servers to overcome customer limitations with their network scanning: auth issues, scan windows, more frequent VM assessments (WannaCry)
- Visibility - asset inventory
- Increase endpoints; growth in endpoint deployments
- Increase in public cloud; on-premise servers to public cloud (Azure)
- Multiple Qualys Apps: add Policy Compliance, add FIM, add IOC, add Patch
- DevSecOps - build CA into CI/CD / DevOps


Cloud Agent CPU Tuning - Linux

VM: < 1.2% CPU peak usage for less than 15 mins

(Chart: CPU Utilization (Percent), statistic Average, time range last 12 hours, for an AWS t2.micro instance running Cloud Agent; the peak shown is 0.801.)

AWS EC2: not allowed to scan nano, micro, or small instances using network scanning.
Cloud Agent CPU Tuning - Windows

Tunable CPU limit. Example: 8% configured max on 1-core (effective: <2% on 4-core).

(Screenshot: Windows Performance Monitor from Mon 3/20/17 4:13:22 PM to Tue 3/21/17 9:30:26 AM, tracking % Privileged Time and % User Time for the QualysAgent process. Last 0.060, Average 1.327, Minimum 0.000, Maximum 99.890, Duration 17:17:03.)

London | 16 November 2017
Cloud Native - Collect Provider Metadata

AWS EC2: accountId, amiId, availabilityZone, hostname, hostnamePublic, instanceId, instanceType, kernelId, macAddress, privateIpAddress, publicIpAddress, region, reservationId, securityGroupIds, securityGroups, subnetId, VPCId

Microsoft Azure: dnsservers, ipv6, location, macAddress, name, offer, osType, privateIpAddress, publicIpAddress, publisher, resourceGroupName, tags, subnet, subscriptionId, version, vmid, vmSize

Google Compute Platform: hostname, instanceId, macAddress, machineType, network, privateIpAddress, projectId, projectIdNo, publicIpAddress, zone

Agent collects metadata locally
Cloud Provider Metadata (AWS EC2 example)

accountId: 383031258652
ami-id: ami-d874e0a0
ami-launch-index: 2
availabilityZone: us-west-2a
hostname: ip-172-31-36-214.us-west-2.compute.internal
imageId: ami-d874e0a0
instance-id: i-03e86d77745bb2bba
instanceType: t2.micro
local-hostname: ip-172-31-36-214.us-west-2.compute.internal
local-ipv4: 172.31.36.214
mac: 06:26:0c:74:c5:9a
privateIp: 172.31.36.214
profile: default-hvm
public-hostname: ec2-18-236-81-63.us-west-2.compute.amazonaws.com
public-ipv4: 18.236.81.63
region: us-west-2
reservation-id: r-06e5580c2918a00ba
security-groups: launch-wizard-2
Cloud Instance Metadata Merge and Agent Dynamic License Management

EC2 Connector - Available now
aws.ec2.accountId
aws.ec2.availabilityZone
aws.ec2.hostname
aws.ec2.hostnamePublic
aws.ec2.imageId
aws.ec2.instanceState
aws.ec2.instanceType
aws.ec2.kernelId
aws.ec2.privateDNS
aws.ec2.privateIPAddress
aws.ec2.publicDNS
aws.ec2.publicIPAddress
aws.ec2.region.code
aws.ec2.region.name
aws.ec2.spotInstance
aws.ec2.subnetId
aws.ec2.VPCId

Cloud Agent - Available now
aws.ec2.accountId
aws.ec2.availabilityZone
aws.ec2.hostname
aws.ec2.imageId
aws.ec2.instanceType
aws.ec2.kernelId
aws.ec2.privateDNS
aws.ec2.privateIPAddress
aws.ec2.publicDNS
aws.ec2.publicIPAddress
aws.ec2.region.code
aws.ec2.region.name
aws.ec2.subnetId
aws.ec2.VPCId

Automatically merge on Instance ID (Nov)

Automated Rules (Dec 2018): "When instanceState = TERMINATED, then remove Cloud Agent license"
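The metadata normalisation, the merge on instance ID and the licence rule described on this slide and the EC2 metadata slide before it, worked through as an added Python example. This is illustrative code written for this page, not Qualys code and not the Qualys API. It assumes the agent reports the raw instance-metadata keys shown on the EC2 example slide, that aws.ec2.instanceId is the merge key, that the connector record carries aws.ec2.instanceState, and, following the roadmap's "state-based / time-based" lifecycle management, a time-based rule that releases a licence after 30 days without check-in (the threshold is an assumption). All records are constructed.

```python
from datetime import datetime, timezone

# Raw key names an agent reads locally (the names on the AWS EC2 example slide)
# mapped to the aws.ec2.* attribute names on the merge slide. The mapping is an
# assumption made for this example.
IMDS_TO_ATTRIBUTE = {
    "accountId": "aws.ec2.accountId",
    "availabilityZone": "aws.ec2.availabilityZone",
    "hostname": "aws.ec2.hostname",
    "imageId": "aws.ec2.imageId",
    "instance-id": "aws.ec2.instanceId",      # assumed merge key
    "instanceType": "aws.ec2.instanceType",
    "local-hostname": "aws.ec2.privateDNS",
    "local-ipv4": "aws.ec2.privateIPAddress",
    "public-hostname": "aws.ec2.publicDNS",
    "public-ipv4": "aws.ec2.publicIPAddress",
    "region": "aws.ec2.region.code",
}

NOW = datetime(2018, 12, 1, tzinfo=timezone.utc)  # constructed "current time"

# Constructed agent records: id, last check-in, and raw metadata as collected.
AGENTS = [
    {"agentId": "agent-a", "lastCheckedIn": datetime(2018, 11, 30, tzinfo=timezone.utc),
     "metadata": {"accountId": "123456789012", "instance-id": "i-0aaaaaaaaaaaaaaa1",
                  "instanceType": "t2.micro", "local-ipv4": "172.31.10.5", "region": "us-west-2"}},
    {"agentId": "agent-b", "lastCheckedIn": datetime(2018, 11, 28, tzinfo=timezone.utc),
     "metadata": {"instance-id": "i-0bbbbbbbbbbbbbbb2", "instanceType": "t2.micro",
                  "local-ipv4": "172.31.10.6", "region": "us-west-2"}},
    {"agentId": "agent-c", "lastCheckedIn": datetime(2018, 9, 1, tzinfo=timezone.utc),
     "metadata": {}},   # on-premise host: no cloud metadata, silent for months
    {"agentId": "agent-d", "lastCheckedIn": datetime(2018, 11, 30, tzinfo=timezone.utc),
     "metadata": {"instance-id": "i-0ccccccccccccccc3", "instanceType": "t2.small",
                  "local-ipv4": "172.31.10.7", "region": "us-west-2"}},  # no connector record
]

# Constructed connector records (what the cloud API reports about instances).
CONNECTOR = [
    {"aws.ec2.instanceId": "i-0aaaaaaaaaaaaaaa1", "aws.ec2.instanceState": "RUNNING"},
    {"aws.ec2.instanceId": "i-0bbbbbbbbbbbbbbb2", "aws.ec2.instanceState": "TERMINATED"},
    {"aws.ec2.instanceId": "i-0eeeeeeeeeeeeeee5", "aws.ec2.instanceState": "RUNNING"},  # no agent
]


def normalise_agent_metadata(raw):
    """Translate one agent's raw metadata dict into aws.ec2.* attributes."""
    return {attr: raw[key] for key, attr in IMDS_TO_ATTRIBUTE.items() if key in raw}


def merge_on_instance_id(agents, connector_records):
    """Join agent records to connector records by aws.ec2.instanceId.

    Agent-observed values win; the connector fills in what the agent cannot see
    from inside the instance (instanceState). Agents with no connector record
    are kept as agent-only assets rather than dropped."""
    by_id = {c["aws.ec2.instanceId"]: c for c in connector_records}
    merged = []
    for agent in agents:
        rec = {"agentId": agent["agentId"], "lastCheckedIn": agent["lastCheckedIn"],
               "licensed": True}
        rec.update(normalise_agent_metadata(agent["metadata"]))
        conn = by_id.get(rec.get("aws.ec2.instanceId"))
        if conn is not None:
            for key, value in conn.items():
                rec.setdefault(key, value)
            rec["source"] = "agent+connector"
        else:
            rec["source"] = "agent"
        merged.append(rec)
    return merged


def instances_without_agent(merged, connector_records):
    """Running instances the connector knows about that have no agent yet."""
    covered = {r.get("aws.ec2.instanceId") for r in merged}
    return [c["aws.ec2.instanceId"] for c in connector_records
            if c["aws.ec2.instanceState"] == "RUNNING" and c["aws.ec2.instanceId"] not in covered]


def apply_license_rules(merged, now, max_idle_days=30):
    """State-based rule (instanceState = TERMINATED -> remove licence) for assets
    with a connector record, time-based rule (no check-in for max_idle_days)
    for any asset. Mutates records and returns (agentId, reason) pairs."""
    released = []
    for rec in merged:
        idle_days = (now - rec["lastCheckedIn"]).days
        if rec.get("aws.ec2.instanceState") == "TERMINATED":
            reason = "state-based"
        elif idle_days > max_idle_days:
            reason = "time-based"
        else:
            continue
        rec["licensed"] = False
        rec["releaseReason"] = reason
        released.append((rec["agentId"], reason))
    return released


if __name__ == "__main__":
    merged = merge_on_instance_id(AGENTS, CONNECTOR)
    print("released:", apply_license_rules(merged, NOW))
    print("need agent:", instances_without_agent(merged, CONNECTOR))
```

The state-based rule fires only from the connector's view of the instance, never from an agent simply going quiet, so a laptop or branch-office server that is offline for a week keeps its licence; the time-based rule is the fallback for assets no connector can vouch for.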
Integrate Cloud Agent into DevOps

Use Cases for DevOps
- Build Cloud Agent into gold image or auto-deploy with CI/CD - self-service results from Qualys API/UI & integrations
- Get vulnerability and configuration posture of OS and application along the DevOps pipeline
- Fix/verify security issues before going into production

Use Cases for Security
- End-to-end lifecycle tracking - development, deployment, production, decommission
- Same Cloud Agent across cloud, on-premise, endpoint, hybrid
- Single platform as DevOps tools evolve - Qualys Container Security, Jenkins integration, API automation, more
Cloud Agent - Microsoft Azure Integration

(Screenshot: Azure Security Center - Overview > Recommendations.)

Monitoring recommendations
- Data collection installation status: 31 of 56 VMs

Virtual machines recommendations
- Endpoint Protection not installed: 4 of 56 VMs
- Missing scan data: 11 of 56 VMs
- Remediate OS vulnerabilities (by Microsoft): 5 of 56 VMs
- Missing system updates: 1 of 56 VMs
- Endpoint Protection health failures: 1 of 56 VMs
- Missing disk encryption: 5 of 56 VMs
- OS version not updated: 2 of 4 Roles
- Vulnerabilities found: 2 of 56 VMs
- Healthy: 6 of 60 VMs & Roles
(Screenshot: "Add a vulnerability assessment solution" in Azure Security Center, installing on 2 VMs (vm3 and vm4 in subscription ASC). The "Add a Vulnerability Assessment" blade offers Create New or Use existing solution; the existing solution listed is Qualys-VA from Qualys, Inc. The severity column shows Medium.)
(Screenshot: Azure Security Center detail for one virtual machine. Resource group HS_RESOURCEGROUP; subscription Visual Studio Premium with MSDN; operating system Windows; Compute; status Deallocated; monitoring state Monitored by Azure Security Center; prevention status High severity. Security solutions: System updates - Microsoft (last scan time 10/3/2016 1:22 PM); OS vulnerabilities - Microsoft (last scan time 10/3/2016 1:22 PM); Vulnerability scanner (preview) - Qualys (last scan time 10/3/2016 11:56 PM), 20 recommendations.)

Vulnerability names as listed (truncated in the screenshot):
- Enabled DCOM
- Allowed Null Session
- Enabled Cached Logon Cre...
- Machine Information Discl...
- Microsoft Windows Explore...
- Windows Explorer Autopla...
- Access to File Share is Enab...
- ActiveX Controls Enumerated
- Antivirus Product Not Dete...
- Disabled Clear Page File
- Enabled Caching of Dial-up...
- Enabled Display Last Usern...
- File Access Permissions for...
- Host Scan Time
- Hyper-V Host Information...
- Installed Applications Enu...
- Internet Protocol version 6 ...
- IPSEC Policy Agent Service...
- Message For Users Attempt...

Severities shown: 1 High (Enabled DCOM), 5 Medium, 14 Low.
Vulnerability name: Enabled DCOM
Severity: High

Description: The Distributed Component Object Model (DCOM) is a protocol that enables software components to communicate directly over a network. The Distributed Component Object Model (DCOM) is enabled on this system.

Solution: Refer to Microsoft article Best Practices for Mitigating RPC and DCOM Vulnerabilities to obtain information on vulnerabilities in DCOM and ways to mitigate those vulnerabilities. Information on disabling DCOM can be found at the Microsoft Technet article called How to Disable DCOM Support in Windows. For disabling DCOM on Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 refer to Microsoft's article Enable or Disable DCOM.
Vulnerability Spread at Speed of DevOps

(Screenshot: Azure portal Virtual machines blade listing RHEL74-CC1-Azure, RHEL75-CC2-Azure and RHEL75-CC3-USEast2-Azure, next to the Azure Marketplace with recommended images: Red Hat Enterprise Linux 7.4 (Red Hat), Windows Server (Microsoft), Ubuntu Server (Canonical), SQL Server 2017 Enterprise (Microsoft), Unified Communications and RemoteScan Enterprise (Quest Software), Pivotal Cloud Foundry (Pivotal Software), Aqua Container Security Platform (Aqua Security).)
Auto-Deploy Qualys Cloud Agent

(Screenshot: Azure Security Center - Security solutions, showing one connected solution reported Healthy under Cloud Defense, and five data sources that can be added, including non-Azure computers and Common Event Format.)

(Screenshot: Qualys Vulnerability Results for RHEL74-CC1-Azure. Confirmed vulnerabilities: sev5 1, sev4 16, sev3 7 (24 total). Potential vulnerabilities: sev5 0, sev4 0, sev3 3 (3 total). Vulnerability detection by status in the last 7 days: Active, Reopened, Fixed. Asset view sections: Asset Summary, Agent Summary, Network Information, Open Ports, Installed Software, Vulnerabilities, Threat Protection RTIs, File Integrity Monitoring, Indication of Compromise, Alert Notifications, Azure VM Information.)
Threat Protection Exploitability

(Screenshot: Qualys asset view, Threat Protection Summary. Total vulnerabilities by RTIs: Zero Day, Easily Exploitable, Unpatchable, Active Attacks, High Lateral Movement, High Data Loss, Vulnerable to DOS, Public Exploit.)

Latest threats from live feed (Published column shows 8/29/2018):
- OpenSSH User name Enumeration Vulnerability : CVE-2018-15473
- L1 Terminal Fault /Foreshadow Attack aka L1TF Attack
- PoC Exploit available for CVE-2018-15473 (repeated feed entries)
- SegmentSmack: CVE-2018-5390
Cloud Agent Roadmap

Agent Releases
- Mac 1.7.2 - released Aug 29
- Windows 2.1.1 - released Oct 22
- Linux 2.3 - Dec rollout for Policy Compliance UDCs
https://www.qualys.com/documentation/release-notes

Features
- Cloud Provider Metadata (AWS, Azure, GCP) - available
- EC2 Connector / Cloud Agent merge - available
- Nov - Windows agent to support Patch Management Beta
- Dec - Policy Compliance UDCs (Windows / Linux / AIX)
- Dec - Agent Lifecycle Management (public cloud state-based w/ Connector / any asset using time-based)
Qualys Indication of Compromise

BOCHO the Next Level

Management, Qualys, Inc.

Adversary TTPs are Changing

Early 2010s: zero-day vulnerabilities (nation state, industrial espionage, black market)

Today: rapidly weaponizing newly-disclosed vulnerabilities (Good, Fast, Cheap - Pick 3)
Known Critical Vulnerabilities are Increasing

(Chart: reported vulnerabilities per year.)

- 6-7K vulnerabilities are disclosed each year*
- 30-40% are ranked as "High" or "Critical" severity
- "Mean Time to Weaponize" (MTTW) is rapidly decreasing year-over-year
Announcing: CVE-2018-12238

Multiple Symantec Products CVE-2018-12238 Local Security Bypass Vulnerability

Bugtraq ID: 105917
CVE: CVE-2018-12238
Remote: No  Local: Yes
Published: Nov 28 2018 12:00AM
Credit: Qualys Malware Research Lab
QID 371337 / QID 371338

Vulnerable:
- Symantec Norton AntiVirus 22.7
- Symantec Norton AntiVirus 21.0
- Symantec Norton AntiVirus 17.6.0.32
- Symantec Endpoint Protection Cloud 12.1.6
- Symantec Endpoint Protection Cloud 14
- Symantec Endpoint Protection 12.1.6 MP4
- Symantec Endpoint Protection 12.1.6
- + 95 other products
Vulnerability Management Lifecycle

(Diagram: a cycle of Asset Inventory -> Vulnerability Management -> Threat Risk and Prioritization -> Patch Management.)
Get Proactive - Reduce the Attack Surface

- Immediately identify vulnerabilities in production
- Notify IT asset owner to patch/stop the instance
- Control network access / cloud security groups
- Change configuration to limit access (compliance)
- Add detection and response - endpoint & network
Proactively Hunt, Detect, and Respond

Indication of Compromise
- Detect IOCs, IOAs, and verify threat intel

Passive Network Sensor
- What new devices are on the network? Are there new/different traffic patterns?
Organizations Struggle to Answer Basic Questions

- Are these hashes on/running in my network?
- Are these mutexes / processes / registry keys?
- Did any endpoints connect to these IPs / domains?
- Are there any connections to TOR exit nodes?
- What system is the first impacted? "Patient Zero"
- Did this spread to other systems? When?
Qualys IOC Use Cases - Visibility Beyond Anti-Virus

Threat Intel Verification
- Threat intel feeds / mandated to verify: "Is this hash, registry, process, mutex on my network?"

Hunting / Find Suspicious Activity
- Indicator of Activity hunting with pre-built and user-defined queries for fileless attacks

"Look Back" Investigation after a known breach
- Find the first occurrence of a breach

API Integration
- SIEM and threat feeds (OEM, customer)

Detect Known/Unknown Malware Family Variants
Threat Intel Verification

1. Threat intelligence lists attack information ...
2. Search for the file hash in IOC Hunting and find the object there.

(Left: US-CERT alert, October 6, 2017 - "NotPetya Ransomware spreading using ETERNALBLUE Vulnerability and Credential Stealing".)

On June 27, 2017, NCCIC [13] was notified of Petya malware events occurring in multiple countries and affecting multiple sectors. This variant of the Petya malware—referred to as NotPetya—encrypts files with extensions from a hard-coded list. Additionally, if the malware gains administrator rights, it encrypts the master boot record (MBR), making the infected Windows computers unusable. NotPetya differs from previous Petya malware primarily in its propagation methods using the ETERNALBLUE vulnerability and credential stealing via a modified version of Mimikatz.

Technical Details

Anti-Virus Coverage: VirusTotal reports 0/66 anti-virus vendors have signatures for the credential stealer as of the date of this report.

- Delivery - MD5: 71b6a493388e7d0b40c83ce903bc6b04
- Installation - MD5: 7e37ab34ecdcc3e77e24522ddfd4852d
- Credential Stealer (new) - MD5: d926e76030f19f1f7ef0b3cd1a4e80f9

Secondary Actions: NotPetya leverages multiple propagation methods to spread within an infected network. According to malware analysis, NotPetya attempts the lateral movement techniques below:

(Right: Qualys Indication of Compromise > Hunting in the Qualys Demo account, searching for d926e76030f19f1f7ef0b3cd1a4e80f9 over the last 7 days. Results (TIME / OBJECT / ASSET): a day ago, svchost.exe, WIN2008R2-11566; a second hit on WIN7-320860-T44. "View related FIM Events" is offered alongside.)
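To show how the "are these hashes running, which system was first, did it spread and when" questions from the Basic Questions slide and the hash search above are answered from agent telemetry, here is an added Python example written for this page (it is not Qualys code, QQL or the IOC API). It matches constructed process-start events against the three NotPetya MD5 values quoted on the slide, then derives the first-impacted asset and the spread order. Host names, timestamps and the two benign hashes are constructed.

```python
from collections import Counter
from datetime import datetime, timezone

# IOC list: the three NotPetya MD5 hashes named in the US-CERT report quoted on
# the slide, keyed by hash with the role the report assigns to each.
NOTPETYA_MD5 = {
    "71b6a493388e7d0b40c83ce903bc6b04": "delivery",
    "7e37ab34ecdcc3e77e24522ddfd4852d": "installation",
    "d926e76030f19f1f7ef0b3cd1a4e80f9": "credential stealer",
}

# Constructed process-start telemetry as an endpoint agent might report it:
# (UTC timestamp, asset name, image name, MD5 of the image). Hosts, times and
# the benign hashes (0f0f..., 1a1a...) are made up; one hash is deliberately
# upper-case because tools disagree on hash casing.
EVENTS = [
    ("2017-06-27T09:58:10Z", "FIN-WS-07", "winword.exe", "0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f"),
    ("2017-06-27T10:12:44Z", "FIN-WS-07", "svchost.exe", "71b6a493388e7d0b40c83ce903bc6b04"),
    ("2017-06-27T10:13:02Z", "FIN-WS-07", "svchost.exe", "7e37ab34ecdcc3e77e24522ddfd4852d"),
    ("2017-06-27T10:14:30Z", "FIN-WS-07", "svchost.exe", "D926E76030F19F1F7EF0B3CD1A4E80F9"),
    ("2017-06-27T10:21:05Z", "FIN-WS-12", "svchost.exe", "71b6a493388e7d0b40c83ce903bc6b04"),
    ("2017-06-27T10:35:51Z", "HR-WS-03", "svchost.exe", "71b6a493388e7d0b40c83ce903bc6b04"),
    ("2017-06-27T11:02:00Z", "DC-01", "lsass.exe", "1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a"),
]


def parse_ts(text):
    """Parse the ISO-8601 'Z' timestamps used in the sample events."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def match_iocs(events, iocs):
    """Return the events whose image hash is on the IOC list, oldest first,
    each tagged with the IOC role. Hashes are compared case-insensitively."""
    hits = []
    for ts, asset, image, md5 in events:
        role = iocs.get(md5.lower())
        if role is not None:
            hits.append({"time": parse_ts(ts), "asset": asset, "image": image,
                         "md5": md5.lower(), "role": role})
    return sorted(hits, key=lambda h: h["time"])


def assets_with_hash(hits, md5):
    """'Is this hash running in my network?' -> the set of assets that ran it."""
    wanted = md5.lower()
    return {h["asset"] for h in hits if h["md5"] == wanted}


def hits_by_role(hits):
    """How many sightings of each stage (delivery / installation / stealer)."""
    return dict(Counter(h["role"] for h in hits))


def first_seen_per_asset(hits):
    """Earliest IOC sighting on each asset (hits must be sorted by time)."""
    first = {}
    for h in hits:
        first.setdefault(h["asset"], h["time"])
    return first


def patient_zero(hits):
    """'What system is the first impacted?' -> asset of the earliest hit."""
    return hits[0]["asset"] if hits else None


def spread_timeline(hits):
    """'Did this spread to other systems? When?' -> assets in order of first
    sighting with seconds elapsed since patient zero's first sighting."""
    first = first_seen_per_asset(hits)
    if not first:
        return []
    order = sorted(first.items(), key=lambda kv: kv[1])
    t0 = order[0][1]
    return [(asset, int((t - t0).total_seconds())) for asset, t in order]


if __name__ == "__main__":
    hits = match_iocs(EVENTS, NOTPETYA_MD5)
    print("patient zero:", patient_zero(hits))
    print("spread:", spread_timeline(hits))
    print("by role:", hits_by_role(hits))
```

Two details matter in practice: hashes are normalised to lower case before comparison, because a feed and an agent that disagree on casing would otherwise produce a silent miss, and the spread timeline is computed from the first sighting per asset rather than every hit, so a chatty host does not hide the order in which machines were reached.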
Malware Hides with Stolen Code-Signing Certificates

(welivesecurity) Certificates stolen from Taiwanese tech-companies misused in Plead malware campaign

D-Link and Changing Information Technologies code-signing certificates stolen and abused by highly skilled cyberespionage group focused on East Asia, particularly Taiwan

https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/
IOC 2.0 Release (Dec 2018)

Responses - Alerting and Actions
- Send alerts via Email, Slack, PagerDuty for any Hunting (QQL) searches

UI Updates
- Event Relationship Tree / Trending Widgets / Event Group By Asset

Threat Feed (find malware that legacy AV may have missed)
- Known Bad - 1B hashes
- CVE-to-Malware hashes (shared with Threat Protection)

New Scoring Model
- Prioritization for Investigation and Response (confirmed vs. suspicious)
- Integration with Alerting / Actions

IOC API
- Integrate with any 3rd party SIEM / TIP

Splunk TA + Dashboards - Jan 2019


New IOC CVE - File Reputation Threat Feed

Find Vulnerabilities
- Verify that vulnerabilities have been remediated

TP
- Real-time indicators for which vulnerabilities have known / PoC exploits
- Prioritize vulnerability remediation on likelihood of attack

Threat feed of malware hashes used in real-world vulnerability exploits
- Prioritize vulnerability remediation based on successful attacks in your network
Indication of Compromise

- Threat Intel Verification
- Hunting
- Alerting
- Create Emergency Patch Job from CVE Exploitation

18fc1b9b29a2d281ec9310f9f226ad7/e3cbh9c558f696c37390bbac/72baa8ba8
168.63.129.16